Story image

Combatting the rise of Cybercrime-as-a-Service

07 Nov 18

Article by ESET senior research fellow Righard Zwienenberg

As cybercriminals have grown more sophisticated, hacking into systems can be as simple as downloading the right software from the dark web, then deploying it to the target.

Now, new developments in cybercrime mean that those with ambitions to create havoc online can do so with only the most rudimentary knowledge by taking advantage of Cybercrime-as-a-Service (CaaS). 

No longer the exclusive purview of criminals, cybercrime is now peddled freely on the surface web.

A simple internet search yields many results, which means amateur cybercriminals (or anyone with a grudge), can execute spam attacks, steal people’s identities, and more. 

This becomes more worrisome in the digital age, when people are increasingly comfortable storing their personal data, such as credit card details and medical records, in the cloud.

Combined cloud computing, connected devices, and the Internet of Things (IoT) create a treasure trove of information and potential weak points that cybercriminals can exploit. 

The rewards for this illegal activity can be significant.

A recent study found that cybercrime can pay from tens of thousands of dollars to millions of dollars every year.

And one of the key ways cybercriminals can earn money is to sell tools that can be used to hack others. 

It’s long been known that the dark web houses various hacking tools for sale, along with user manuals that provide a step-by-step guide to help even the newest of ambitious criminals get up and running quickly.

Some of these CaaS providers even provide helpdesk services, further highlighting the level of organisation and professionalism in these communities. 

A complete set of tools for hacking Wi-Fi networks and stealing personal information costs as little as US$125; not a hefty price tag considering the potential damage it could do, and the rewards it could deliver for the cybercriminal.

As well as being cheap, cybercrime is relatively low-risk, especially when considering the potential for profit.

And it only takes a modicum of technical capability for cybercriminals to hide their tracks well enough to make capture an almost laughable concept. 

When it comes to getting caught, a loophole in most countries’ laws means hiring a hacker is not illegal.

In fact, many reputable businesses hire so-called ‘white hat’ hackers to test their cybersecurity defences and find potential loopholes so they can protect themselves more effectively. 

Internationally, there is not yet any unified law that can indict cybercriminals that commit transnational crime.

So, even if a cybercriminal is caught, the authorities may not be able to prosecute.

Furthermore, even in countries where cybercrime is prosecutable, something that’s illegal in one country might be perfectly legal in another, creating another legal grey area.

This contributes to the challenges in prosecuting cybercriminals who launch cross-border attacks. 

This means that victims of cybercrime have very little recourse under the law, so the best approach is to implement security measures that protect against successful attacks. 

These include installing security updates as soon as they become available, using complex passwords and multi-factor authentication, avoiding shared passwords across different accounts, and using antivirus tools with regular scans. 

It’s also essential to ensure all employees are well aware of the risk of phishing attacks, and know how to identify an attack, as well as what to do if they suspect they’re being targeted. 

As well as taking individual responsibility for cybersecurity, it’s important that other organisations recognise the role they can play in protecting end users, and act accordingly.

Internet service providers (ISPs) can employ machine learning tools to proactively identify suspicious activity and deal with it before it spreads through the network. 

Governments should also invest in cybersecurity talent.

With a greater talent pool, better cybersecurity measures can be developed.

Governments are already moving in this direction by implementing privacy legislation that requires businesses to take responsibility for protecting individuals’ information.

In Australia, the mandatory notifiable data breaches (NDB) scheme is already in full swing, while Europe’s General Data Protection Regulation (GDPR) has also taken effect.

Initiatives like these aim to create a safer online environment while making organisations responsible for the data they own and store. 

However, laws are only part of the equation.

It’s also important to have global, unified accords that help make cybercrime less risk-free and lucrative.

By working on ways to detect and prosecute cybercriminals, law enforcement agencies can reduce the significant risk posed by CaaS and other mainstream cybercrime tools. 

Combatting the rise of Cybercrime-as-a-Service
Amateur cybercriminals (or anyone with a grudge), can execute spam attacks, steal people’s identities, and more. 
Dell EMC advances hybrid cloud for VMware environments
Through collaboration and joint engineering, Dell EMC and VMware are enabling organisations to derive more value from IT investments.
ThreatQuotient partners with Visa for payments safety
“Cyber criminals are reusing tactics, techniques and procedures, leaving a recognisable trail of breadcrumbs and insights into the very attacks they are launching.”
Gartner names Bitglass a leader in cloud security
Bitglass was evaluated based on its ability to execute and its completeness of vision.
Universities seeing rise in DDoS attacks
Overall, between July and September, DDoS botnets attacked targets in 82 countries.
Security cameras – a latent botnet network?
In a comparison of 16 indoor and outdoor IP surveillance cameras, researchers found only one well-protected device.
2018’s worst malware revealed in report
Webroot has highlighted the top cyberattacks of 2018 in its latest Nastiest Malware list, which showcases the malware and attack payloads that have been most detrimental to organisations.
How phishing is evolving to outpace awareness
While email providers have made strides in flagging suspicious emails and source domains, reducing the effectiveness of attacks, attackers’ techniques have also evolved.